docs: add docs on how to set policy by kata-runtime

Fixes: #8797 Signed-off-by: Linda Yu <linda.yu@intel.com>
2025-05-08 16:37:32 +00:00 · 2024-01-23 11:29:10 +08:00 · 2024-01-23 11:29:10 +08:00 · bb77d2d7e6
commit bb77d2d7e6
parent 1c5693be86
1 changed files with 10 additions and 0 deletions
--- a/docs/design/architecture/README.md
+++ b/docs/design/architecture/README.md
@ -349,6 +349,16 @@ The `exec` command allows an administrator or developer to enter the

 See [the developer guide](../../Developer-Guide.md#connect-to-debug-console) for further details.

+### policy command
+
+The `policy set` command allows an administrator or developer to set the policy
+to [VM root environment](#environments). In this way, we can enable/disable
+kata-agent API through policy.
+The command is: `kata-runtime policy set policy.rego --sandbox-id XXXXXXXX`
+
+Please refer to [`genpolicy tool`](../../../src/tools/genpolicy/README.md) to see how to generate `policy.rego` mentioned above.
+And more about policy itself can be found at [Policy Details](../../../src/tools/genpolicy/genpolicy-auto-generated-policy-details.md).
+
 ### Configuration

 See the [configuration file details](../../../src/runtime/README.md#configuration).